United States Patent and Trademark Office

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov



APPLICATION NO.: 09/848,870
FILING DATE: 05/04/2001
FIRST NAMED INVENTOR: David M. Zendzian
ATTORNEY DOCKET NO.: DMZO 1-0001
CONFIRMATION NO.: 8372

28422 7590 11/10/2004
HOYT A. FLEMING III
P.O. BOX 140678
BOISE, ID 83714

EXAMINER: SIMITOSKI, MICHAEL J
ART UNIT: 2134
PAPER NUMBER:

DATE MAILED: 11/10/2004



Please find below and/or attached an Office communication concerning this application or proceeding. 



PTO-90C (Rev. 10/03) 





Application No.: 09/848,870
Applicant(s): ZENDZIAN, DAVID M.
Examiner: Michael J Simitoski
Art Unit: 2134

-- The MAILING DATE of this communication appears on the cover sheet with the correspondence address --



Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 



- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) [?] Responsive to communication(s) filed on 04 May 2001.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.
3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims

4) [X] Claim(s) 1-39 is/are pending in the application.
4a) Of the above claim(s) is/are withdrawn from consideration.
5) [ ] Claim(s) is/are allowed.
6) [X] Claim(s) 1-28 is/are rejected.
7) [ ] Claim(s) is/are objected to.
8) [X] Claim(s) 29-39 are subject to restriction and/or election requirement.

Application Papers

9) [ ] The specification is objected to by the Examiner.
10) [?] The drawing(s) filed on 04 May 2001 is/are: a) [?] accepted or b) [?] objected to by the Examiner.
Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).
11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [?] None of:
1. [ ] Certified copies of the priority documents have been received.
2. [ ] Certified copies of the priority documents have been received in Application No. .
3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.



Attachment(s)

1) [X] Notice of References Cited (PTO-892)
2) [ ] Notice of Draftsperson's Patent Drawing Review (PTO-948)
3) [X] Information Disclosure Statement(s) (PTO-1449 or PTO/SB/08)
Paper No(s)/Mail Date 1/10/02
4) [ ] Interview Summary (PTO-413)
Paper No(s)/Mail Date.
5) [ ] Notice of Informal Patent Application (PTO-152)
6) [ ] Other:

U.S. Patent and Trademark Office
PTOL-326 (Rev. 1-04)

Office Action Summary

Part of Paper No./Mail Date 10252004



Application/Control Number: 09/848,870 Page 2 

Art Unit: 2134 

DETAILED ACTION 

1. The IDS of 1/10/02 was received and considered.

2. Claims 1-39 are pending. 

Election/Restrictions 

3. Restriction to one of the following inventions is required under 35 U.S.C. 121: 

I. Claims 1-28 are directed to a system for displaying network data, classified in
class 713, subclass 183.

II. Claims 29-39 are directed to a system for verifying software through a hash,
classified in class 713, subclass 179.

4. Inventions I and II are related as subcombinations disclosed as usable together in a single
combination. The subcombinations are distinct from each other if they are shown to be
separately usable. In the instant case, inventions I and II have separate utility in that Group I has
utility where a request to display data is verified via a password, not requiring a coded record;
Group II has utility in authenticating a piece of software, not requiring password verification.
See MPEP § 806.05(d).

Because these inventions are distinct for the reasons given above and have acquired a 
separate status in the art as shown by their different classification, restriction for examination 
purposes as indicated is proper. 

Applicant is advised that the reply to this requirement, to be complete, must include an 
election of the invention to be examined even though the requirement be traversed (37 CFR 
1.143). 

5. During a telephone conversation with Hoyt Fleming (208-336-5237) on 10/20/2004 a
provisional election was made without traverse to prosecute the invention of Invention I, claims
1-28. Affirmation of this election must be made by applicant in replying to this Office action.
Claims 29-39 are withdrawn from further consideration by the examiner, 37 CFR 1.142(b), as
being drawn to a non-elected invention.

Claim Rejections - 35 USC § 112 

6. The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

7. Claims 3-4 & 16-17 are rejected under 35 U.S.C. 112, second paragraph, as being 
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 

Regarding claims 3 & 16, it is unclear whether the "request for network data", "network
data" or both "includes the name of a gateway server". For the purposes of this Office Action,
the "request for network data" is understood to include the name of a gateway server.

Regarding claims 4 & 17, it is unclear whether the "request for network data", "network
data" or both "includes the name of a monitoring server". For the purposes of this Office Action,
the "request for network data" is understood to include the name of a monitoring server.

Claim Rejections - 35 USC § 103

8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 






9. Claims 1-2, 8-13 & 28 are rejected under 35 U.S.C. 103(a) as being unpatentable over
"Using User Authentication" by Apache in view of "Free On-Line Dictionary of Computing" by
LinuxGuruz, in further view of U.S. Patent Application Publication 2002/0147801 to Gullotta et
al. (Gullotta).

Regarding claims 1, 2, 8, 11, 13 & 28, Apache discloses entering a request for the
network data into a computer/browser, creating a network data request/authorization header,
transmitting the network data request/authorization header from the computer/browser to a
server/Apache web server (p. 1, ¶1-2 & p. 5, P-6), verifying/checking the network data request
by comparing the network data request to criteria (checking the password) (p. 5, ¶2-6), obtaining
the network data/page, creating a data response/page, transmitting the data response/page from
the server/Apache web server to the computer (p. 5, ¶2-6). Apache does not explicitly disclose
displaying the network data/web page. However, LinuxGuruz teaches that a web browser is a
piece of software specifically used to display html pages to a person (§browser). Therefore, it
would have been obvious to one having ordinary skill in the art at the time the invention was
made to display the network data/web page. One of ordinary skill in the art would have been
motivated to perform such a modification to use a web browser, as taught by LinuxGuruz.
Apache, as modified above, lacks specifically a business rule. However, Gullotta teaches that
RBAC is a form of provisioning that gives a user access to files based on a person's role in an
organization (¶9) to improve efficiency (¶8). Therefore, it would have been obvious to one
having ordinary skill in the art at the time the invention was made to verify the request by
comparing the request/authorization header to criteria defined by a business rule. One of
ordinary skill in the art would have been motivated to perform such a modification to improve
efficiency, as taught by Gullotta (¶8-9).

Regarding claim 9, Apache, as modified above, lacks comparing a user ID to criteria
defined by a business rule. However, LinuxGuruz teaches that a user ID is commonly used to
identify a user of a computer or group of computers (§user identifier). Therefore, it would have
been obvious to one having ordinary skill in the art at the time the invention was made to
compare a user ID against criteria defined by a business rule. One of ordinary skill in the art
would have been motivated to perform such a modification to allow a computer to identify a
user, as taught by LinuxGuruz (§user identifier) to establish role-based permissions, as modified
above by Gullotta (¶8-9).

Regarding claim 10, Apache, as modified above, lacks explicitly comparing the
organization of a user to criteria defined by a business rule. However, Gullotta teaches that a
monitoring system can manage multiple organizations and as such, a user in a given organization
will be restricted from accessing other organizations' data (¶68). Therefore, it would have been
obvious to one having ordinary skill in the art at the time the invention was made to compare the
organization of a user to criteria defined by a business rule. One of ordinary skill in the art
would have been motivated to perform such a modification to manage multiple organizations, as
taught by Gullotta (¶68).

Regarding claim 12, Apache discloses controlling access/verifying a request by
comparing information that identifies the computer/hostname (p. 5, ¶1).

10. Claims 3-4 are rejected under 35 U.S.C. 103(a) as being unpatentable over Apache,
LinuxGuruz & Gullotta, as applied to claim 1 above, in further view of U.S. Patent 5,586,260 to
Hu. Apache, as modified above, lacks including the name of a server in the request for data.
However, Hu teaches that a client can call a proxy server to retrieve data from a server on behalf
of the client (col. 1, lines 50-59) to allow authentication with no knowledge of the server's
security protocol (col. 1, lines 41-44). Therefore, it would have been obvious to one having
ordinary skill in the art at the time the invention was made to include identification of the
server/proxy in the request. One of ordinary skill in the art would have been motivated to
perform such a modification to allow authentication with no knowledge of the server's security
protocol, as taught by Hu (col. 1, lines 41-59). Apache, as modified, lacks explicitly
including the "name" of a server. However, the examiner takes Official Notice that identifying a
computer by "computer name" is old and well established in the art of computer networking as a
method of identifying individual computers. Therefore, it would have been obvious to one
having ordinary skill in the art at the time the invention was made to include in the request the
name of the server (rather than, for instance, an IP address). One of ordinary skill in the art
would have been motivated to perform such a modification to identify the individual servers.
This advantage is well known to those skilled in the art.

11. Claims 5-6 are rejected under 35 U.S.C. 103(a) as being unpatentable over Apache,
LinuxGuruz & Gullotta, as applied to claim 1 above, in further view of Network Security, A
Beginner's Guide by Maiwald. Apache, as modified above, lacks encrypting the network data
request. However, Maiwald teaches that encryption allows authorized users to see information
while hiding it from unauthorized individuals (p. 208). Maiwald further teaches that private key
encryption (symmetric key) is the most widely used type of encryption (p. 211). Therefore, it
would have been obvious to one having ordinary skill in the art at the time the invention was
made to encrypt the network data request with a first private key. One of ordinary skill in the art
would have been motivated to perform such a modification to hide the data from unauthorized
users, as taught by Maiwald (pp. 208-211).

12. Claim 7 is rejected under 35 U.S.C. 103(a) as being unpatentable over Apache,
LinuxGuruz & Gullotta, as applied to claim 1 above, in further view of Applied Cryptography,
Second Edition by Schneier. Apache, as modified above, lacks encrypting the network data
request via a first private key and a second private key. However, Maiwald teaches that
encryption allows authorized users to see information while hiding it from unauthorized
individuals (p. 208). Maiwald further teaches that private key encryption (symmetric key) is the
most widely used type of encryption (p. 211). Therefore, it would have been obvious to one
having ordinary skill in the art at the time the invention was made to encrypt the network data
request with a first private key. One of ordinary skill in the art would have been motivated to
perform such a modification to hide the data from unauthorized users, as taught by Maiwald (pp.
208-211). Further, Schneier teaches that multiple encryptions improve the security of a block
algorithm (pp. 357-358). Therefore, it would have been obvious to one having ordinary skill in
the art at the time the invention was made to further encrypt the network data request with a
second private key. One of ordinary skill in the art would have been motivated to perform such a
modification to improve the security of the network data request, as taught by Schneier (pp. 357-358).

13. Claims 14-17 & 27 are rejected under 35 U.S.C. 103(a) as being unpatentable over Hu in
view of LinuxGuruz.

Regarding claims 14-15 & 27, Hu discloses entering a request for the network data into a
computer, creating a first network data request, transmitting the first network data request from
the computer/client to a first server/proxy (col. 1, lines 19-24 & lines 50-67),
verifying/authenticating the first network data request (col. 1, lines 60-67), creating a second
network data request, transmitting the second network data request from the first server/proxy to
a second server, verifying the second network data request (col. 2, lines 26-41), obtaining the
network data (Fig. 4, #64), creating a first data response (Fig. 4, #66), transmitting the first data
response from the second server to the first server/proxy (Fig. 4, #66), creating a second data
response and transmitting the second data response from the first server/proxy to the
computer/client (Fig. 4, #68). Hu lacks verifying the first data response and verifying the second
data response. However, Hu states that in some cases, the client will require that the server be
authenticated (col. 1, lines 18-25). Therefore, it would have been obvious to one having ordinary
skill in the art at the time the invention was made to verify the first and second data responses.
One of ordinary skill in the art would have been motivated to perform such a modification to
authenticate the server to the client, as taught by Hu (col. 1, lines 18-25). As modified, Hu lacks
explicitly displaying the data. However, LinuxGuruz teaches that computer users view data
received from web servers in a browser (§browser). Therefore, it would have been obvious to one
having ordinary skill in the art at the time the invention was made to display the received data
using a browser. One of ordinary skill in the art would have been motivated to perform such a
modification to view web pages, as taught by LinuxGuruz (§browser).

Regarding claims 16-17, Hu, as modified above, discloses the client identifying the
gateway/monitoring server, but lacks explicitly including the "name" of a monitoring server.
However, the examiner takes Official Notice that identifying a computer by "computer name" is
old and well established in the art of computer networking as a method of identifying individual
computers. Therefore, it would have been obvious to one having ordinary skill in the art at the
time the invention was made to include in the request the name of the server (rather than, for
instance, an IP address). One of ordinary skill in the art would have been motivated to perform
such a modification to identify the individual servers. This advantage is well known to those
skilled in the art.

14. Claims 18-20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Hu in view
of LinuxGuruz, as applied to claim 14 above, in further view of Schneier.

Regarding claims 18-19, Hu, as modified above, lacks encrypting the network data
request via a first private key. However, Schneier teaches that to digitally sign a document, the
document is encrypted with a private key (p. 37, ¶3). Therefore, it would have been obvious to
one having ordinary skill in the art at the time the invention was made to encrypt the data request
via a first private key. One of ordinary skill in the art would have been motivated to perform
such a modification to digitally sign the data request, as taught by Schneier (p. 37, ¶3).

Regarding claim 20, Hu, as modified above, lacks encrypting the network data request
via a first private key and a second private key. However, Schneier teaches that to digitally sign
a document, the document is encrypted with a private key (p. 37, ¶3). Schneier further teaches
that a document can be signed by multiple users by signing the document once and then signing
the signature (p. 39, §Multiple Signatures). Therefore, it would have been obvious to one having
ordinary skill in the art at the time the invention was made to encrypt the network data request
via a first private key and a second private key. One of ordinary skill in the art would have been
motivated to perform such a modification to digitally sign the request with multiple signatures,
as taught by Schneier (pp. 37-39).

15. Claims 21-24 are rejected under 35 U.S.C. 103(a) as being unpatentable over Hu in view
of LinuxGuruz, as applied to claim 14 above, in further view of Gullotta.

Regarding claims 21 & 24, Hu, as modified above, lacks comparing the requested
network data to criteria defined by a business rule. However, Gullotta teaches that RBAC is a
form of provisioning that gives a user access to files based on a person's role in an organization
(¶9) to improve efficiency (¶8). Therefore, it would have been obvious to one having ordinary
skill in the art at the time the invention was made to verify the request by comparing the
request/authorization header to criteria defined by a business rule. One of ordinary skill in the
art would have been motivated to perform such a modification to improve efficiency, as taught
by Gullotta (¶8-9).

Regarding claim 22, Hu, as modified above, lacks comparing a user ID to criteria defined
by a business rule. However, Gullotta teaches that RBAC is a form of provisioning that gives a
user access to files based on a person's role in an organization (¶9) to improve efficiency (¶8).
Therefore, it would have been obvious to one having ordinary skill in the art at the time the
invention was made to verify the request by comparing the request/authorization header to
criteria defined by a business rule. One of ordinary skill in the art would have been motivated to
perform such a modification to improve efficiency, as taught by Gullotta (¶8-9). Further,
LinuxGuruz teaches that a user ID is commonly used to identify a user of a computer or group of
computers (§user identifier). Therefore, it would have been obvious to one having ordinary skill
in the art at the time the invention was made to compare a user ID against criteria defined by a
business rule. One of ordinary skill in the art would have been motivated to perform such a
modification to allow a computer to identify a user, as taught by LinuxGuruz (§user identifier) to
establish role-based permissions, as modified above by Gullotta (¶8-9).

Regarding claim 23, Hu, as modified above, lacks explicitly comparing the organization
of a user to criteria defined by a business rule. However, Gullotta teaches that a monitoring
system can manage multiple organizations and as such, a user in a given organization will be
restricted from accessing other organizations' data (¶68). Therefore, it would have been obvious
to one having ordinary skill in the art at the time the invention was made to compare the
organization of a user to criteria defined by a business rule. One of ordinary skill in the art
would have been motivated to perform such a modification to manage multiple organizations, as
taught by Gullotta (¶68).

16. Claims 25-26 are rejected under 35 U.S.C. 103(a) as being unpatentable over Hu in view
of LinuxGuruz, as applied to claim 14 above, in view of Gullotta, in further view of Apache.
Hu, as modified above, lacks comparing information that identifies a computer/first server to
criteria defined by a business rule. However, Gullotta teaches that RBAC is a form of
provisioning that gives a user access to files based on a person's role in an organization (¶9) to
improve efficiency (¶8). Therefore, it would have been obvious to one having ordinary skill in
the art at the time the invention was made to verify the request by comparing the
request/authorization header to criteria defined by a business rule. One of ordinary skill in the
art would have been motivated to perform such a modification to improve efficiency, as taught
by Gullotta (¶8-9). Further, Apache teaches that in HTTP authentication, it is known to restrict
access to a web server based on a hostname (p. 5, ¶1). Therefore, it would have been obvious to
one having ordinary skill in the art at the time the invention was made to compare information
that identifies a computer to criteria defined by a business rule. One of ordinary skill in the art
would have been motivated to perform such a modification to restrict access to a web server, as
taught by Apache (p. 5, ¶1).



Conclusion

17. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Michael J. Simitoski whose telephone number is (571) 272-3841.
The examiner can normally be reached on Monday - Thursday, 6:45 a.m. - 4:15 p.m. The
examiner can also be reached on alternate Fridays from 6:45 a.m. - 3:15 p.m.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Gregory Morse, can be reached at (571) 272-3838.

Any response to this action should be mailed to:

Commissioner of Patents and Trademarks
Washington, DC 20231

Or faxed to:

(703) 746-7239 (for formal communications intended for entry)
(571) 273-3841 (Examiner's fax, for informal or draft communications, please
label "PROPOSED" or "DRAFT")

Any inquiry of a general nature or relating to the status of this application or
proceeding should be directed to the receptionist whose telephone number is
(571) 272-2100.

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished
applications is available through Private PAIR only. For more information about the PAIR
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

October 26, 2004